SoylentNews is people
SoylentNews
https://www.nytimes.com/2017/04/28/us/politics/nsa-surveillance-terrorism-privacy.html
The National Security Agency said Friday that it had halted one of the most disputed practices of its warrantless surveillance program, ending a once-secret form of wiretapping that dates to the Bush administration's post-Sept. 11 expansion of national security powers.
The agency is no longer collecting Americans' emails and texts exchanged with people overseas that simply mention identifying terms — like email addresses — for foreigners whom the agency is spying on, but are neither to nor from those targets.
The decision is a major development in American surveillance policy. Privacy advocates have argued that the practice skirted or overstepped the Fourth Amendment.
The change is unrelated to the surveillance imbroglio over the investigations into Russia and the Trump campaign, according to officials familiar with the matter. Rather, it stemmed from a discovery that N.S.A. analysts had violated rules imposed by the Foreign Intelligence Surveillance Court barring any searching for Americans' information in certain messages captured through such wiretapping.
Though I'm personally wondering why now.
(Score: 2) by Whoever on Monday May 01 2017, @06:24AM (2 children)
And you should get a clue.
TLS is becoming near universal for SMTP. And email doesn't travel between many relays.
(Score: -1, Troll) by Anonymous Coward on Monday May 01 2017, @06:35AM (1 child)
Wow! That's grrrreat! Now when you say "becoming near universal" you mean Gmail, right? Man, you're so right, just do all your email on gmail. In fact don't even call it email anymore. Call it gmail because that's what it is, it's gmail.
Tell you what, I tried to send some gmail to a blogger who runs his own gmail swerver, and you know what happened, my gmail was returned because mr blogger never set up a mx record for his gmail swerver. I guess that guy won't be getting any more gmail, huh?
Compatibility, what the fuck is it, I don't even.
(Score: 1, Interesting) by Anonymous Coward on Monday May 01 2017, @01:59PM
Maybe? I'm not sure exactly what you're saying so this is kind of long-winded.
Data in motion encryption for email at this point is mostly a solved problem. One site's relay hands directly off to the recipient's relay, and it's easy to verify encryption by checking the logs.
I understand. I'm one of those crypto nerds who wants to be able to use GPG and similar for everything, just because you can't be sure.
It's a lot better than 10 years ago when I started my current job. Back then I was warning everybody who wanted reports that might contain Protected Health Information protected by HIPAA that they needed to install GPG4WIN because "email is insecure." Now, I'm not a compliance person and my employer isn't a Covered Entity, so I'm sure somebody will tell me that server-to-server TLS won't protect somebody from getting in trouble with HIPAA/HITECH because of insert fiddly lawyer speak here (oh and btw, license this secure "email" service that's not even SMTP but some web-based jazz from $big_business to solve that problem!).
Once TLS became pretty much bog standard for everybody except, who was it?, Yahoo? some-odd big webmail provider that for whatever reason doesn't do TLS last I checked (but not AOL of all providers, they do TLS as well), there really was no reason to insist on a client-side solution anymore.
...as you might have been trying to say (hard to tell), the biggest problem is people using free gmail accounts (and I've even come across some AOL addresses!) to receive reports that may contain confidential information, especially if it's not PHI (and thus the HIPAA people don't give a fuck about it--why should they?). Sure, the data in motion is secure, but the data at rest is most assuredly not.
To attempt to address the article, perhaps what the NSA is saying in a weasel word way, is that the NSA itself is no longer doing the collection, but they've got new Room 641As installed at Google, Yahoo, M$, etc. Why bother with attempting to break TLS between MTAs when everybody these days is handily storing their emails on centralized services?